Saturday, October 19, 2013

keytool: export a private key + certificate to a PKCS12 store

I have a JKS store pippov2.dev.acme.com.jks containing some trustedCert entries (caacme, caswisssign) and a private key (pippov2.dev.acme.com).

I want to be able to store the private key separately. Keytool allows you to export only to a PKCS12-type store:

keytool -importkeystore -srckeystore pippov2.dev.acme.com.jks -destkeystore new-store.p12 -deststoretype PKCS12

Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Problem importing entry for alias caacme: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias caacme not imported.
Do you want to quit the import process? [no]:
Problem importing entry for alias caswisssign: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias caswisssign not imported.
Do you want to quit the import process? [no]:
Enter key password for <pippov2.dev.acme.com>
Entry for alias pippov2.dev.acme.com successfully imported.
Import command completed: 1 entries successfully imported, 2 entries failed or cancelled

It's something which takes a LOOOOONG time, so be patient.

The file new-store.p12 is generated:

keytool -keystore new-store.p12 -list -storetype PKCS12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

pippov2.dev.acme.com, Oct 19, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 46:A7:6C:E5:13:4C:2F:7B:65:10:42:B0:3B:A9:B1:23
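
The import above stops twice to ask about the trustedCert entries that the PKCS12 store type rejects. As an added example (not from the original post), this script lists the source store, keeps only the PrivateKeyEntry aliases and copies each one with -srcalias, so nothing prompts. The function names, the SRC_PASS / SRC_KEY_PASS / DEST_PASS environment variables and the sample listing are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the original post's code.

# Reads `keytool -list` output on stdin and prints the alias of every
# PrivateKeyEntry, one per line. Assumption: aliases contain no comma.
private_key_aliases() {
    sed -n 's/^\([^,]*\), .*, PrivateKeyEntry, *$/\1/p'
}

# export_private_keys SRC.jks DEST.p12   (hypothetical helper name)
# Passwords are taken from the environment variables SRC_PASS, SRC_KEY_PASS
# and DEST_PASS (names assumed here) through keytool's ":env" modifier, so
# they do not show up in the process list. The body runs in a subshell so
# the umask change and the early exit stay local to this function.
export_private_keys() (
    src=$1
    dest=$2
    umask 077   # the new store holds a private key: owner-only permissions
    keytool -list -keystore "$src" -storetype JKS -storepass:env SRC_PASS |
        private_key_aliases |
        while IFS= read -r alias; do
            # </dev/null keeps keytool from eating the alias list on stdin
            keytool -importkeystore \
                -srckeystore "$src" -srcstoretype JKS -srcalias "$alias" \
                -srcstorepass:env SRC_PASS -srckeypass:env SRC_KEY_PASS \
                -destkeystore "$dest" -deststoretype PKCS12 \
                -deststorepass:env DEST_PASS </dev/null || exit 1
        done && [ -s "$dest" ]   # fail if nothing was written
)

# Constructed sample of `keytool -list` output for the JKS store described
# in the post (fingerprint lines omitted).
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

caacme, Oct 19, 2013, trustedCertEntry,
caswisssign, Oct 19, 2013, trustedCertEntry,
pippov2.dev.acme.com, Oct 19, 2013, PrivateKeyEntry,'

# Usage, after exporting the three password variables:
#   export_private_keys pippov2.dev.acme.com.jks new-store.p12
```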

